If your company uses Zyxel networking products, it is time to act immediately: a wave of active exploitation attempts is hitting a critical remote code execution (RCE) flaw, CVE-2023-28771.
Attackers are exploiting a vulnerability in Zyxel’s broadband customer premises equipment: the Internet Key Exchange (IKE) protocol’s packet-decrypting function, which is exposed publicly on UDP port 500, is insecure and can be abused to take full control of affected devices.
The vulnerability, which Zyxel patched on April 25, 2023, affects a range of Zyxel ATP, USG FLEX, VPN and ZyWALL/USG series firewalls and VPN appliances: firmware versions V4.60 to V5.35 for the ATP, USG FLEX and VPN series, and V4.60 to V4.73 for ZyWALL/USG.
Although a patch is available, security firm GreyNoise recently detected a localized spike in attack attempts on 16 June 2025, coming from hundreds of distinct IPs, which suggests an organized and active campaign.
The flaw lets an unauthenticated attacker trigger a memory corruption condition and run arbitrary operating system commands as root. This amounts to complete system compromise, and the bug has been linked to the recruitment of compromised devices into Mirai-based botnet variants, typically for conducting DDoS attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included this CVE in its Known Exploited Vulnerabilities Catalog, confirming that it is being exploited and poses a high, current threat.
Recommendations for Defense
Organizations using Zyxel devices are advised to:
Patch Now: Update all affected Zyxel products to the latest firmware release.
Review Exposure: Confirm that any Zyxel devices exposed to the internet are updated and configured correctly.
Monitor Activity: Closely monitor impacted systems for abnormal activity, looking for signs of compromise or botnet recruitment.
Restrict Access: As a best practice, configure routing and firewall access control policies to minimize exposure of the IKE service on UDP port 500.
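As an added example (not code from the article, Zyxel or GreyNoise), the following Python script turns the "Monitor Activity" and "Restrict Access" items into a concrete check over a firewall log: it flags IKE packets (UDP/500) arriving from any source that is not an allowlisted VPN peer, and it raises a surge alert when many distinct sources hit the port inside one time window, which is the pattern GreyNoise described. The key=value log format, the peer allowlist, the 5-minute window and the 5-source threshold are all assumptions; the sample log lines are constructed and use documentation address ranges.

```python
"""Flag unexpected IKE (UDP/500) sources and detect multi-source surges.

Added example for the recommendations above; not Zyxel's, GreyNoise's or the
article's own code. Log format, allowlist and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allowlist: site-to-site VPN peers that may legitimately initiate IKE to us.
ALLOWED_IKE_PEERS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Assumed key=value export format; real Zyxel syslog lines differ, so adapt the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)"
)

# Constructed sample: two legitimate peers, one unrelated TCP line, then a burst of
# distinct sources probing UDP/500 within a minute, and one lone probe later on.
SAMPLE_LOG = """\
2025-06-16T10:00:01Z proto=UDP src=203.0.113.10 dst=192.0.2.1 dport=500
2025-06-16T10:00:05Z proto=UDP src=198.51.100.7 dst=192.0.2.1 dport=500
2025-06-16T10:00:09Z proto=TCP src=192.0.2.200 dst=192.0.2.1 dport=443
2025-06-16T10:01:10Z proto=UDP src=192.0.2.21 dst=192.0.2.1 dport=500
2025-06-16T10:01:12Z proto=UDP src=192.0.2.22 dst=192.0.2.1 dport=500
2025-06-16T10:01:15Z proto=UDP src=192.0.2.23 dst=192.0.2.1 dport=500
2025-06-16T10:01:17Z proto=UDP src=192.0.2.24 dst=192.0.2.1 dport=500
2025-06-16T10:01:20Z proto=UDP src=192.0.2.25 dst=192.0.2.1 dport=500
2025-06-16T10:01:21Z proto=UDP src=192.0.2.25 dst=192.0.2.1 dport=500
2025-06-16T10:01:40Z proto=UDP src=192.0.2.26 dst=192.0.2.1 dport=500
2025-06-16T11:30:00Z proto=UDP src=192.0.2.99 dst=192.0.2.1 dport=500
"""


def parse_line(line):
    """Return (timestamp, proto, src, dport) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["proto"].upper(), ip_address(m["src"]), int(m["dport"])


def unexpected_ike_events(log_text, allowed=ALLOWED_IKE_PEERS):
    """IKE packets (UDP/500) whose source lies outside every allowlisted network."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, proto, src, dport = parsed
        if proto != "UDP" or dport != 500:
            continue
        if any(src in net for net in allowed):
            continue  # known VPN peer, expected traffic
        events.append((ts, src))
    return events


def source_surges(events, window=timedelta(minutes=5), min_sources=5):
    """Bucket unexpected sources into fixed windows; return (window_start, n_sources)
    for every window with at least min_sources distinct IPs.

    One scanner shows up as one source; a coordinated campaign shows up as many
    distinct sources in the same window, which is the pattern worth alerting on.
    """
    epoch = datetime(1970, 1, 1)
    buckets = defaultdict(set)
    for ts, src in events:
        start = epoch + ((ts - epoch) // window) * window  # floor to window boundary
        buckets[start].add(src)
    return sorted(
        (start, len(srcs)) for start, srcs in buckets.items() if len(srcs) >= min_sources
    )


if __name__ == "__main__":
    events = unexpected_ike_events(SAMPLE_LOG)
    for ts, src in events:
        print(f"unexpected IKE source {src} at {ts.isoformat()}")
    for start, count in source_surges(events):
        print(f"SURGE: {count} distinct sources hit UDP/500 in window starting {start}")
```

Every source that the script flags is, by construction, one that the "Restrict Access" policy should already be dropping; if the firewall still logs the packets as accepted, the access control list is not doing its job. The surge threshold separates background internet scanning from the hundreds-of-IPs pattern described above, and the window arithmetic uses timedelta floor division so it works on naive timestamps without depending on the local timezone.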
The current wave of attacks against this well-known flaw is a potent reminder that timely patching and ongoing security diligence are necessary to prevent network compromise.